Apple Pay provisioning fraud hole “has to get plugged now”

“Rampant” fraud levels being experienced by US card issuers that have signed up for Apple Pay need to be addressed with urgency, payments consultant Cherian Abraham has told NFC World, to avoid Apple, the individual banks and tokenized mobile payments as a whole suffering reputational damage.

ABRAHAM: Provisioning fraud warning

The problem lies with the way in which Apple Pay handles requests to provision a card onto a device, Abraham, the mobile commerce and payments lead at Experian Global Consulting, explains. Fraudsters can enrol other people’s cards into Apple Pay on their own devices with relative ease.

And, unless the current problem is fixed urgently, rising fraud levels could lead to some smaller banks deciding to pull out of the high profile mobile payments service, he warns.

In a blog post published earlier this week, Abraham explains that there are three ways in which a card provisioning request is handled by Apple Pay:

A Green Path, where the card is provisioned without referral to the issuer;

A Red Path, where the provisioning request is declined without referral to the issuer;

A Yellow Path, where the provisioning request is referred to the card issuer for an approval decision.

It is the Yellow Path that is causing the issues, Abraham explained, since banks are not currently well positioned to make this kind of decision.

“Within the Yellow Path, it is up to each and every issuer to implement the best way possible in terms of doing customer-level verification,” he said. “What we have seen since the Apple Pay launch is that most of the issuers are opting to use call centres as their tool of choice for customer-level verification.

“That’s the issue primarily because what the call centre reps are using to verify the customer is the last four digits of their security number, which isn’t really much of a hurdle for the fraudster to pass. Apple Pay did not make Yellow Path implementations mandatory until about four weeks before Apple Pay launched.

“That was a huge deal because, until then, apart from a couple of issuers who launched with Apple Pay, others had no way of anticipating what would happen if requests were to come down the Yellow Path.”

“The problem is that the smaller and medium sized banks are not going to be able to respond that quickly, they’re not going to be able to build anything of scale that quickly and neither will they have the stomach to stand the kind of losses that they’re likely to see,” Abraham continued.

“They’re going to be buried because this will bring fraud to their doorstep and they will be ill-equipped to answer that, and fraudsters are pretty savvy to understand that they have to go after the smaller ones that don’t have the sophistication, the level of tool set that can help them fight that fraud. That’s where the risk is, for the mid-to-smaller guys that will get buried when they see the scale of fraud that the larger issuers have seen since the beginning — that is the risk.”

“Apple Pay also has the potential to cause reputational risk,” Abraham added. “There’s a reputational risk from a bank standpoint, not from a consumer standpoint. Consumers haven’t exactly caught on to Apple Pay fraud because they are protected by the issuer, and no customer today is able to differentiate between fraud coming in by somebody stealing their card and walking into a store and committing fraud with it versus having their credentials provisioned through an Apple Pay device.

“That level of information doesn’t trickle down to the customer. They never really see, nor are they able to associate, the fraud they have seen on their account with Apple Pay. The reputational risk is more to Apple from their partners, rather than from consumers.

“If banks start to pull out because the levels of fraud are too high, whether they pull out for temporary relief or until they deploy better measures, then customers are going to notice, and they are going to notice that this is because their bank is unable to tackle the level of fraud that it is seeing from this, and that could send the wrong kind of messages to Apple in terms of the security of its product.

“So this is something that has to get plugged, regardless of how secure the rest of that infrastructure, the rest of that stack, is, and this is far bigger than Apple Pay too. Banks have to look beyond Apple Pay and think about other entities that will introduce consumer tokenization services. When there is true scale in Apple Pay in terms of the number of customers signing up, it will only attract more fraud, and this has to get plugged before that.”